hacked.html
<script>
  /**
   * Illustration of the risk of shipping an API key inside a script bundle.
   *
   * If this script is hosted on an attacker's website, and one of your
   * users is tricked into visiting that site, the page requests your
   * bundle from the user's browser.
   *
   * NOTE(review): with fetch()'s defaults the browser exposes the response
   * body to this page only if the server's CORS headers allow the
   * requesting origin, and cookies are not attached to a cross-origin
   * request. The scenario presumably assumes a permissive CORS policy on
   * bundle.js; confirm against the surrounding article.
   *
   * Defensive takeaway: keep API keys and other per-user secrets out of
   * script files, and keep the CORS policy on anything that carries them
   * restricted to origins you control.
   */
  (async () => {
    const bundleResponse = await fetch('https://www.yourwebsite.com/js/bundle.js');
    /**
     * ...the attacker extracts the API key here, and starts impersonating
     * your user.
     */
  })();
</script>